Web Blog_blogentry_180216_1


Researchers find two flaws in OAuth 2.0[1]#

In a paper submitted to arXiv, the researchers describe two attacks. In the first (based on the HTTP 307 Temporary Redirect status code), identity providers (IdPs) inadvertently forward user credentials (i.e., username and password) to the relying party (RP) or the attacker. In the second, a network attacker can impersonate any victim.

"This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of a malicious identity provider," the researchers said.

"In this attack, the attacker (running a malicious RP) learns the user's credentials when the user logs in at an IdP that uses the wrong HTTP redirection status code."

The researchers said that in order to fix this problem, only HTTP 303 codes should be permitted in OAuth, since "the HTTP 303 redirect is defined unambiguously to drop the body of an HTTP POST request."

The second flaw involves an attack on the RP website: "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data." This Man-in-the-Middle (MitM) attack lets an attacker alter the user's data in transit and fool the RP into treating the attacker's IdP as the one the user wanted.

"As a result, the RP sends the Authorization Code or the access token (depending on the OAuth mode) issued by the honest IdP to the attacker, who then can use these values to login at the RP under the user's identity (managed by the honest IdP) or access the user's protected resources at the honest IdP."

The researchers said to fix this, OAuth 2.0 should include the identity of the IdP in the redirect in some form. "More specifically, we propose that RPs provide a unique redirection endpoint for each IdP. Hence, the information which IdP redirected the browser to the RP is encoded in the request and the RP can detect a mismatch."
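A toy simulation of the mix-up and of the per-IdP redirect endpoint defense described above (an added example, not code from the article or the paper's authors; the IdP names, URLs, class names and session ids are assumed):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
# Constructed IdP names and URLs for the simulation (not taken from the paper).
PER_IDP_URI = {"honest-idp": "https://rp.example/cb/honest-idp",
               "attacker-idp": "https://rp.example/cb/attacker-idp"}
SHARED_URI = "https://rp.example/cb"


@dataclass
class VulnerableRP:
    """One shared redirect endpoint: the RP can only go by what the session says."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def redirect_uri_for(self, idp: str) -> str:
        return SHARED_URI  # the same URI is registered at every IdP

    def start_login(self, sid: str, idp: str) -> None:
        self.sessions[sid] = idp  # the IdP the RP *believes* the user chose

    def handle_callback(self, sid: str, uri: str, code: str) -> str:
        # Returns the IdP whose token endpoint the code will be sent to.
        return self.sessions[sid]


class HardenedRP(VulnerableRP):
    """One redirect endpoint per IdP (the fix the paper proposes): the endpoint
    that was hit tells the RP which IdP really redirected the browser."""

    def redirect_uri_for(self, idp: str) -> str:
        return PER_IDP_URI[idp]

    def handle_callback(self, sid: str, uri: str, code: str) -> str:
        expected = self.sessions[sid]
        actual = next((i for i, u in PER_IDP_URI.items() if u == uri), None)
        if actual != expected:
            raise ValueError(f"IdP mix-up: session says {expected}, callback hit {actual}")
        return expected


def simulate_mixup(rp: VulnerableRP) -> Optional[str]:
    """The attacker has swapped the user's IdP choice, so the RP recorded
    'attacker-idp', but the user actually logged in at the honest IdP, which
    redirects back (to the URI the RP registered there) with a genuine code.
    Returns the IdP that would receive the code, or None if the RP aborted."""
    rp.start_login("sess-1", "attacker-idp")
    try:
        return rp.handle_callback("sess-1", rp.redirect_uri_for("honest-idp"), "code-1")
    except ValueError:
        return None
```

With the shared endpoint the honest IdP's code is handed to the attacker's token endpoint; with per-IdP endpoints the RP sees that the callback came from a different IdP than the session recorded and aborts.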

Using the "status" parameter within the Authorization Request or using the PK???? would stop this issue.
